As previously discussed EQAO has announced that the technical failure of the online OSSLT was due to “an intentional, malicious and sustained Distributed Denial of Service (DDoS) attack—a type of cyberattack.” However some evidence has surfaced that contradicts those claims.

ICT Educator Elliot Royle tweeted  a link to the Digital Attack Map for October 20, 2016.

The Digital Attack Map “presents data gathered and published by Arbor Networks ATLAS global threat intelligence system” and shows all the DDoS attacks that happen around the world on any given day. It shows the source, target and duration of any DDoS attacks on that day.

A typical day like October 19th looks like this:

As you can see there were three DDoS attacks that day, targeting Brazil, The US and Great Britain. As is typical the sources of the attacks are routed through countries all around the world.

Here is the Digital Attack Map for October 20th, the day EQAO said the OSSLT was taken down by a DDOS


As you can see this map looks very different. There is some distributed traffic and an attack centred on The USA, but no attacks converging on Canada. Not one.

As another point of comparison, here’s the Digital Attack Map for October 21st, the day of the massive Dyn DDoS attack, the largest ever (so far):

Again, this looks quite different than the activity of October 20th when the OSSLT was cancelled.

So what can we make of this? There are only a few options.

The Digital Attack Map may be wrong. Arbour admits that while the “data represented in the Digital Attack Map is sourced from one of the most complete data sets available, it is an incomplete picture. The data may misidentify or exclude attack activity, and is intended to present high level trends in significant attacks as they are observed by Arbor Networks”.

There may have been an insignificant attack that doesn’t show on the map, but then EQAO’s system should have been able to withstand an insignificant attack.

Another option is that the failure of the online OSSLT wasn’t caused by a DDoS at all. This would be consistent with the reports by teachers that the MIST platform failed when it was tested last March and it crashed when it was used by Tennessee schools in February.

Perhaps EQAO can explain why Arbor Networks didn’t detect a DDoS attack on the day they said one took down the OSSLT?